02-02-2011 09:39 AM
Per documentation and training...I have always seen NAT applied using an access-list to define traffic, then
class and policy maps applied to an interface.
However I ran across this configuration and am wondering what exactly it is doing..it seems overly simplified.
I will post the only mention of NAT in the config:
class-map match-all CUSOMERC-VIP
  2 match virtual-address 172.20.200.33 tcp eq www
policy-map multi-match VIPs
  class CUSOMERC-VIP
    loadbalance vip inservice
    loadbalance policy CUSOMERC-POLICY-L7
    loadbalance vip icmp-reply active
    nat dynamic 722 vlan 722
interface vlan 120
  ip address 10.11.20.8 255.255.255.0
  peer ip address 10.11.20.9 255.255.255.0
  no normalization
  no icmp-guard
  access-group input any
  nat-pool 120 10.11.20.30 10.11.20.30 netmask 255.255.252.0 pat
  service-policy input ALLOW_ICMP_POLICY
interface vlan 722
  ip address 172.20.200.4 255.255.255.0
  alias 172.20.200.10 255.255.255.0
  peer ip address 172.20.200.5 255.255.255.0
  no normalization
  access-group input any
  nat-pool 722 172.20.200.20 172.20.200.20 netmask 255.255.255.0 pat
  service-policy input VIPs
  service-policy input ALLOW_ICMP_POLICY
  no shutdown
Could this be considered a proper configuration?..I don't even see global service policies which reference NAT.
When I hit the VIP of CUSOMERC-VIP it does not appear that I am being translated, but I do show a connection:
apptier# sh xlate
apptier# sh conn | inc 172.20.200.33
1624825 1 in TCP 722 172.20.34.70:3481 172.20.200.33:80 ESTAB
02-03-2011 05:44 PM
First of all, it is more important to understand why NAT is needed in an ACE environment. Asymmetric routing is often not accepted by load balancers. Therefore, you will need to check the reverse path, making sure the server will respond to the client THROUGH the ACE.
Here is a common topology where you should use NAT on the ACE.
client----- internet ---- router1 --- vlan10 -- ACE --- vlan 20 --- router2 --- serverfarm -- server1
                            |                                          |
                           eth1                                       eth2
                            |__________________________________________|
Let's say
client ip : 64.1.1.1
server1 : 40.1.1.1
vip address on vlan 10 of ACE : 10.1.1.10
int vlan 10 of ACE is : 10.1.1.1
int vlan 20 of ACE is : 20.1.1.1
int eth1 of router1 : 30.1.1.1
int eth2 of router2 : 30.1.1.2
1. client sends tcp request to the vip address. So the first packet will be tcp syn and its address should be source with client ip : 64.1.1.1 and dest with vip address on vlan 10 of ACE : 10.1.1.10.
2. If there is no routing issue, this request should get to the ACE and the ACE will go through classification to see if the request hits the vip or not.
3. If the request hits the vip, then the ACE will make forwarding decision to the serverfarm. When this happens, the ACE will be doing destination natting. i.e. the ACE will only replace the dest ip from vip to server1. So the address should be like source with client ip : 64.1.1.1 and dest with server1 : 40.1.1.1.
4. When the server receives this request, server1 will respond to the client 64.1.1.1. So the response packet should be syn/ack and its address should be source with server1 : 40.1.1.1 and dest with client ip : 64.1.1.1.
5. This response will get to router2 and if the router thinks the shortest path to the client is via eth2, then the response will bypass the ACE.
6. This is the problem I mentioned earlier as asymmetric routing.
7. The client sends the request with source client ip : 64.1.1.1 and dest with vip address on vlan 10 of ACE : 10.1.1.10, but the response comes with source server1 : 40.1.1.1 and dest with client ip : 64.1.1.1.
8. The client will reset the connection.
So let's apply dynamic natting to the ACE to avoid this sort of failure.
access-group input any
class-map match-all CUSOMERC-VIP
  2 match virtual-address 10.1.1.10 tcp eq www
policy-map multi-match VIPs
  class CUSOMERC-VIP
    loadbalance vip inservice
    loadbalance policy CUSOMERC-POLICY-L7
    loadbalance vip icmp-reply active
    nat dynamic 20 vlan 20
interface vlan 10
  ip address 10.1.1.1 255.255.255.0
  service-policy input VIPs                                <<<<-----
  access-group input any
interface vlan 20
  ip address 20.1.1.1 255.255.255.0
  access-group input any
  nat-pool 20 20.1.1.30 20.1.1.30 netmask 255.255.252.0 pat   <<<-----
Now two things to remember.
+ We apply the service policy to the incoming interface which is int vlan 10 in this case.
+ We need to change the client source ip to the natted ip as per the nat-pool. This should be applied to the outgoing interface vlan 20.
So the sequence to process dynamic NAT for the request is:
service-policy input VIPs --> policy-map multi-match VIPs ---> class CUSOMERC-VIP ----> loadbalance policy CUSOMERC-POLICY-L7 ---> nat dynamic 20 vlan 20
Step1. The request comes to int vlan 10. Then it will check "service-policy input VIPs".
Step2. Since the service policy is applied to int vlan 10, it will check "policy-map multi-match VIPs".
Step3. "policy-map multi-match VIPs" contains only one class-map, which is "class CUSOMERC-VIP", and the ACE will check if the request hits the vip defined on the class-map.
Step4. Once it verifies that this is a good request, the ACE will find the associated "policy-map type". The policy-map type basically performs the "forwarding decision", which is load balancing to the serverfarm.
Step5. However, we have defined one more condition to perform "natting" with "nat dynamic 20 vlan 20".
Step6. When the ACE performs the natting, it will change the client source ip to the natted ip from nat-pool 20, which is applied on int vlan 20.
I hope this clarifies your question.
-Andrew
02-02-2011 08:22 PM
The config looks to be ok. However just one condition.
Your vip address is 172.20.200.33 and sitting on vlan 722. So your client side vlan is vlan 722. This is ok. However, your nat statement is applied to the same vlan 722. So your server should be in vlan 722. If the request is not sent to this particular vlan, the nat will not happen.
Here is the explanation.
..
policy-map multi-match VIPs
  class CUSOMERC-VIP
    loadbalance vip inservice
    loadbalance policy CUSOMERC-POLICY-L7
    loadbalance vip icmp-reply active
    nat dynamic 722 vlan 722                                <<<----
interface vlan 722
  ip address 172.20.200.4 255.255.255.0
  alias 172.20.200.10 255.255.255.0
  peer ip address 172.20.200.5 255.255.255.0
  no normalization
  access-group input any
  nat-pool 722 172.20.200.20 172.20.200.20 netmask 255.255.255.0 pat
  service-policy input VIPs
  service-policy input ALLOW_ICMP_POLICY
  no shutdown
..
Now look closely at the "nat dynamic 722 vlan 722" cmd.
The above cmd basically tells the ACE to take action when the request leaves the ACE.
So the ACE will change the client source ip address of the packet to the natted ip. Your natted ip will be 172.20.200.20. This change will happen only if the request leaves the ACE to vlan 722. The first "722" refers to "nat-pool 722" and the "vlan 722" specifies the outbound interface after the LB decision (i.e. forwarding to the serverfarm).
I hope this answers your question.
-Andrew
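As an added example, not part of Andrew's replies and not Cisco ACE code: a small Python model of the processing sequence described above (class match on the VIP, destination NAT to the real server, then source NAT from the pool only when the egress vlan named in "nat dynamic 722 vlan 722" is the one the chosen server sits on), plus the reverse-path check behind the asymmetric-routing point. The VIP, nat-pool and client address come from the posted config and show conn output; the server addresses, vlan 120 as an alternative egress and the ACE_OWNED set are assumptions, since the thread does not show the serverfarm.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# From the posted config: class-map CUSOMERC-VIP matches 172.20.200.33 tcp/80 and
# carries "nat dynamic 722 vlan 722"; interface vlan 722 owns
# "nat-pool 722 172.20.200.20 172.20.200.20 netmask 255.255.255.0 pat".
VIP_CLASSES = {("172.20.200.33", 80): {"pool": "722", "egress_vlan": "722"}}
NAT_POOLS = {("722", "722"): "172.20.200.20"}
# Addresses the ACE itself answers for on vlan 722 (interface, alias, nat-pool).
# Assumption: a reply addressed to one of these must come back through the ACE.
ACE_OWNED = {"172.20.200.4", "172.20.200.10", "172.20.200.20"}

def ace_forward(pkt, server_ip, server_vlan):
    """Model the LB + NAT decision for one client SYN arriving on vlan 722.

    server_ip / server_vlan stand for the serverfarm choice made by
    CUSOMERC-POLICY-L7 (constructed inputs, not shown in the thread).
    Returns the packet as it leaves the ACE, or None if no VIP matched.
    """
    cls = VIP_CLASSES.get((pkt.dst, pkt.dport))
    if cls is None:
        return None                                   # not a VIP: no LB, no NAT
    out = replace(pkt, dst=server_ip)                 # destination NAT: VIP -> real server
    if cls["egress_vlan"] == server_vlan:             # the "vlan 722" condition of nat dynamic
        out = replace(out, src=NAT_POOLS[(cls["pool"], server_vlan)])  # source NAT from pool
    return out

def reply_returns_via_ace(forwarded):
    """The server answers whatever source it saw: only an ACE-owned source
    guarantees the SYN/ACK comes back through the ACE (symmetric path)."""
    return forwarded.src in ACE_OWNED

if __name__ == "__main__":
    syn = Packet("172.20.34.70", "172.20.200.33", 80)        # client from the show conn output
    for server, vlan in (("172.20.200.50", "722"), ("10.11.20.50", "120")):  # constructed servers
        out = ace_forward(syn, server, vlan)
        print(vlan, out, "reply via ACE:", reply_returns_via_ace(out))
```

With the server on vlan 722 the source becomes 172.20.200.20 and the reply is pinned to the ACE; with a server on vlan 120 the client address is left untouched and the reply can take any path router2 prefers.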
02-03-2011 09:20 AM
thx.
So, trying to understand this:
we can assume that the only time a NAT will happen is when a "user" attempts to hit that particular VIP?
Other than that...any user trying to hit another VIP which is in the same VLAN 722 will not be NAT'd
unless we add that nat dynamic statement under the Layer 3 class map?
If, for example, I wanted to NAT all "users incoming to that vlan", I would simply create an access list with a permit "any any"
and then apply that to a class map and then a policy map?
02-07-2011 09:17 AM
it does
thx!!!